View Diary: There's Good News and Bad News about the NSA and your Personal Passwords (189 comments)

  •  Hence the suggestion to use password managers (6+ / 0-)

    Most people wouldn't know a strong password if they saw it and need help, and no one is going to keep 20+ passwords in their heads.

    The basic, free versions of some apps are adequate to improve safety if they are used and not difficult.

    For my personal devices I use 1Password, a paid app, but free apps like KeePass have pretty much the same features.

    400ppm : what about my daughter's future?

    by koNko on Sun Jul 28, 2013 at 05:07:30 AM PDT

    [ Parent ]

    •  What about the ones that come with security apps (2+ / 0-)
      Recommended by:
      koNko, jamess

      like Norton, or that are built into some browsers? Are they any good?

      "Liberty without virtue would be no blessing to us" - Benjamin Rush, 1777

      by kovie on Sun Jul 28, 2013 at 06:28:34 AM PDT

      [ Parent ]

      •  I don't know about Norton (3+ / 0-)
        Recommended by:
        kovie, jamess, KenBee

        I mainly use OSX and Linux where Norton is not much of a player, and the Windows workstations we have at work are covered by a turn-key solution from Kaspersky.

        But the basic features you would want are a management system with a master password (the administrator level), a keychain to manage the passwords and auto-login accounts, and a strong password generator so that (a) you have no duplicates and (b) they are at least 9 or more digits and use random generated alpha, numeric and symbol codes.

        If you go to the (linked) 1Password site they show the features and screenshots that explain these functions; KeePass has essentially similar features but is free.

        I chose 1Password because I host my own OSX VPN server and use OSX across a home network and MacBook, and that app is well developed for OSX, but it's a bit expensive.

        KeePass has a good reputation in the Linux, OSX and Windows community, and I think they even have iOS and Android extensions now.

        But if Norton has equivalent features and is already installed, try it.

        400ppm : what about my daughter's future?

        by koNko on Sun Jul 28, 2013 at 07:17:27 AM PDT

        [ Parent ]

        •  Stupid question (3+ / 0-)
          Recommended by:
          jamess, koNko, KenBee

          What's a "keychain" in this instance? Is that a physical plug-in device to make it harder for someone to crack your passwords without it?

          Also, I don't know if Norton can randomly generate strong passwords. The part of it that I do know about is that it manages your personally-generated passwords for all the sites you visit, whether strong or not.

          Finally, my concern with all these tools is that the NSA is almost certainly trying to obtain backdoor access to them such that no matter how strong and secure your passwords are, it can crack them without your knowledge, and the firms or people who create these tools are forbidden by law to tell you about it. This is probably more likely with larger, US-based ones like Symantec, I'm guessing.

          "Liberty without virtue would be no blessing to us" - Benjamin Rush, 1777

          by kovie on Sun Jul 28, 2013 at 07:24:30 AM PDT

          [ Parent ]

          •  Not stupid (2+ / 0-)
            Recommended by:
            kovie, KenBee

            A keychain is what it sounds like.

            Basically, it is a secure database of user credentials (username, password) which automates secure log-in transactions and (typically) can operate across multiple devices if set up to do so, requiring a host device or network location (such as a server or Dropbox account).

            In its simplest form, such as the current native keychain in OSX, the user creates an account with a master key (password) and then manually creates or uses established credentials when logging on to an account. Once activated, the keychain will automatically sense a new account transaction and ask if it should be added. Once added, subsequent transactions will be automated, i.e., when you hit a log-in button the keychain will negotiate an encrypted transfer of the credentials.

            Even in this basic type, there are 3 advantages:

            (a) Various passwords for various accounts will be maintained, including periodic changing if you wish. You don't have to remember or save them to a separate secured log because the keychain manages it.

            (b) Transmitted data is typically encrypted with a one time key.

            (c) Since it is automated, there is no typing involved so if your computer has been infected with a key-logger virus, it detects nothing.

            Because of (b) and (c), financial transactions using live accounts and passwords are safer, since typically the standardized number of digits used in accounts (particularly credit cards) is ripe for hacking if keyed in or un-salted (salting before encryption adds digits and produces a more complex encryption).

            Keychains with more advanced features such as password generators further improve security by:

            (d) facilitating longer passwords (mine is set for 24 and falls back to 19 or 12 digits)

            (e) generating random strings of alpha, numeric and punctuation codes

            (f) creating a unique set of credentials for each account so that if one happens to get hacked, the credentials cannot be used to hack other accounts, a very common problem.

            (g) some allow use of biometric data or other external authentication keys.

            For example, I work in a secure environment with user levels and to log in requires not just a password but a thumb print, and in some cases, transactions require a "two man rule" transaction where both parties have to authenticate with biometrics, difficult to defeat.

            BTW, as biometrics become more common on consumer devices such as mobile phones, security can improve.

            So like a keychain holding keys for your house, car, office etc., a digital keychain keeps your credential organized and safer.

            Generally, the longer, more random and complex a password, the harder it is to crack, and typically 12 to 20+ characters mixing upper/lower case letters, numbers and punctuation is what would be considered "complex" and difficult to crack by the NSA or whomever.

            And spies and crooks LOVE key loggers, so avoiding that thwarts acquisition of credentials by that means.

            If you go to the first article I linked, it provides a good, up to date explanation of the current situation including typical problems and good practice.

            Why I recommend using a keychain app is it's a lot of work to manage a portfolio of accounts and passwords, and nearly impossible to remember many unique and complex passwords, so people tend not to do it. A keychain facilitates using best practice.

            And you avoid the frustration of lost passwords.

            400ppm : what about my daughter's future?

            by koNko on Sun Jul 28, 2013 at 10:47:33 AM PDT

            [ Parent ]
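As an added illustration of the generator features described in the two koNko comments above (random alpha/numeric/punctuation strings, a 24-character length that falls back to 19 or 12 when a site caps length, and one unique credential per account), here is a small example in Python. It is not code from the thread, 1Password or KeePass; the preference list and the vault structure are assumptions for the demonstration.

```python
import math
import secrets
import string

# Character classes the thread calls "alpha, numeric and punctuation codes".
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALPHABET = "".join(CLASSES.values())

def generate_password(length=24):
    """Random password from ALPHABET containing at least one character of
    every class. Draws from `secrets` (the OS CSPRNG), never `random`."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every class")
    while True:  # rejection sampling keeps each character uniformly random
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES.values()):
            return pw

def choose_length(site_max=None, preferences=(24, 19, 12)):
    """Longest preferred length the site's maximum allows: 24, else 19, else 12."""
    for n in preferences:
        if site_max is None or n <= site_max:
            return n
    raise ValueError(f"site limit {site_max} is below every preferred length")

def entropy_bits(length):
    """Guessing work for a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(ALPHABET))

def build_vault(accounts, site_limits=None):
    """One unique credential per account (point (f) above), so a breach of one
    site yields nothing reusable elsewhere. site_limits: account -> max length."""
    site_limits = site_limits or {}
    vault = {}
    for account in accounts:
        pw = generate_password(choose_length(site_limits.get(account)))
        assert pw not in vault.values()  # a collision is astronomically unlikely
        vault[account] = pw
    return vault

if __name__ == "__main__":
    for name, pw in build_vault(["bank", "email", "forum"], {"bank": 16}).items():
        print(f"{name:6} {len(pw):2} chars  ~{entropy_bits(len(pw)):.0f} bits")
```

The entropy figure makes the thread's length advice concrete: 12 characters from this 90-symbol alphabet is roughly 78 bits, 24 characters roughly 156.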

            •  That's what I wanted to know, thanks (2+ / 0-)
              Recommended by:
              KenBee, koNko

              I just pictured an actual, physical keychain, with a USB-type dongle on it that had to be physically inserted into a computer to allow password access. I'm sure that in very high-security situations such as a nuke-carrying sub or in the data centers of banks they actually do add an extra, physical layer of security such as this, but you're talking about virtual, not literal keychains.

              Are there actually such dongles for consumer use, and is there any reason to use one over a purely digital solution for most people?

              "Liberty without virtue would be no blessing to us" - Benjamin Rush, 1777

              by kovie on Sun Jul 28, 2013 at 11:20:33 AM PDT

              [ Parent ]

              •  NSA exploits dongles! (2+ / 0-)
                Recommended by:
                terabytes, kovie

                Stuxnet was delivered in a USB. Brilliant work, actually.

                I still have 2 physical dongles, one at work to authenticate Autocad, one for a bank account. Outdated idea.

                I work in a secure environment (design IP) in a big company running Oracle for business process and various Linux based applications for design. In secured areas such as I work, no non-company devices are allowed (your phone, tablets & PCs go in a locker) and USB drives are strictly forbidden. If you plug in any unauthorized storage device, the system node you are on will automatically isolate and a guy from IT and another from Security will arrive to investigate.

                And yet, there are nuclear facilities, etc. where USBs are allowed. And NSA admins just got a 2 man rule after Snowden.

                "Free" USB drives are a common way viruses are introduced to the wild. I avoid them at all cost. I have one personal USB drive and that is it.

                400ppm : what about my daughter's future?

                by koNko on Sun Jul 28, 2013 at 06:57:54 PM PDT

                [ Parent ]

                •  For the life of me (0+ / 0-)

                  I don't understand why thumb drives are being marketed to children with cute cartoon figure designs. What do kids use these for and isn't this a great way to spread viruses? Anyway, I can see why these precautions are used in some work environments, but I'd think that an official, work-supplied thumb drive could provide extra protection. But I'm no expert, so what do I know.

                  "Liberty without virtue would be no blessing to us" - Benjamin Rush, 1777

                  by kovie on Sun Jul 28, 2013 at 08:43:12 PM PDT

                  [ Parent ]

      •  I checked the Norton site (1+ / 0-)
        They have several different products but "ONE" and "360" have what seems to be a keychain function to manage passwords and secure passwords and perform log-ins, but it's not clear whether it generates strong passwords or what the options are. The description is:

        Remembers, secures and automatically enters usernames and passwords to speed up log-ins and prevent cybercriminals from stealing your information

        If you already have this installed, I suggest checking the user guide.

        400ppm : what about my daughter's future?

        by koNko on Sun Jul 28, 2013 at 07:28:28 AM PDT

        [ Parent ]

      •  By the way (3+ / 0-)
        Recommended by:
        kovie, KenBee, terabytes

        I neglected to answer one question.

        I personally do NOT use the keychains in browsers because they (browsers) are a prime target for hacks.

        So in the rare case I have to use a browser such as Firefox in some legacy Javascript sites (Chrome and Safari no longer support Javascript) I do not allow the browser to save the data and I clear the cache when I am done.

        In OSX, you can use the native keychain with either Safari, Chrome, Opera or Firefox without allowing the browser to save the form data, but it does not yet have password generation capability. The next release of OSX will have password generation, but I would probably stick with 1Password since I have already used it for several years.

        400ppm : what about my daughter's future?

        by koNko on Sun Jul 28, 2013 at 11:08:14 AM PDT

        [ Parent ]

    •  KeePass (3+ / 0-)
      Recommended by:
      koNko, jamess, KenBee

      works well and is easy to use
